From a261b8df59117f7dc52abb3a34b35a40c2c9fa88 Mon Sep 17 00:00:00 2001
From: Tim Rice
Date: Wed, 18 Jun 2014 16:17:28 -0700
Subject: - (tim) [openssh/session.c] Work around to get chroot sftp working on UnixWare
---
 ChangeLog | 3 +++
 session.c | 15 ++++++++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index f7c5b1297..ccc9407ed 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+20140618
+ - (tim) [openssh/session.c] Work around to get chroot sftp working on UnixWare
+
 20140617
 - (dtucker) [entropy.c openbsd-compat/openssl-compat.{c,h} openbsd-compat/regress/{.cvsignore,Makefile.in,opensslvertest.c}]
diff --git a/session.c b/session.c
index c0b0a942e..11f2571e0 100644
--- a/session.c
+++ b/session.c
@@ -1505,6 +1505,9 @@ void
 do_setusercontext(struct passwd *pw)
 {
 char *chroot_path, *tmp;
+#ifdef USE_LIBIAF
+ int doing_chroot = 0;
+#endif
 platform_setusercontext(pw);
@@ -1544,6 +1547,9 @@ do_setusercontext(struct passwd *pw)
 /* Make sure we don't attempt to chroot again */
 free(options.chroot_directory);
 options.chroot_directory = NULL;
+#ifdef USE_LIBIAF
+ doing_chroot = 1;
+#endif
 }
 #ifdef HAVE_LOGIN_CAP
@@ -1558,7 +1564,14 @@ do_setusercontext(struct passwd *pw)
 (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK);
 #else
 # ifdef USE_LIBIAF
- if (set_id(pw->pw_name) != 0) {
+/* In a chroot environment, the set_id() will always fail; typically
+ * because of the lack of necessary authentication services and runtime
+ * such as ./usr/lib/libiaf.so, ./usr/lib/libpam.so.1, and ./etc/passwd
+ * We skip it in the internal sftp chroot case.
+ * We'll lose auditing and ACLs but permanently_set_uid will
+ * take care of the rest.
+ */
+ if ((doing_chroot == 0) && set_id(pw->pw_name) != 0) {
 fatal("set_id(%s) Failed", pw->pw_name);
 }
 # endif /* USE_LIBIAF */
--
cgit v1.2.3
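Review bot: `doing_chroot = 1` in the `@@ -1544,6 +1547,9 @@` hunk is set in the branch that clears `options.chroot_directory`, so as far as these lines show it becomes true for every chrooted session, not only for internal-sftp. The comment added in the `@@ -1558,7 +1564,14 @@` hunk says set_id() is skipped "in the internal sftp chroot case", which is narrower than what the flag records. The condition guarding this branch is outside the hunk, but if a chrooted shell or external subsystem also reaches it, that session drops the auditing and ACL setup too. Either restrict the flag to the internal-sftp case or make the comment match the code, e.g. `* We skip it for every chrooted session.`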
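Review bot: The `@@ -1558,7 +1564,14 @@` hunk skips set_id() silently when `doing_chroot` is set, so a session that starts without UnixWare auditing and ACLs leaves no trace of that in sshd's log. The comment documents the loss for readers of the source, but an administrator relying on the audit trail has no way to see it. Record the skip on that path, for example `} else if (doing_chroot) { logit("set_id(%s) skipped: session is chrooted", pw->pw_name); }`, at whichever log level the project prefers. The rest of do_setusercontext(), including the permanently_set_uid call the comment relies on, is outside the hunk.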